CCO Liability: Winds of Change at the SEC?

By Scott Killingsworth
Scott.Killingsworth@BryanCave.com

“You don’t need a weatherman to know which way the wind blows.”-Bob Dylan

Chief Compliance Officer Eugene Mason recently agreed to pay $25,000 to settle SEC charges that his failure to “effectively implement” a company compliance policy was a “willful violation” of the Investment Advisers Act. Given the nature of the accused conduct, this case may signal a troublesome shift in SEC enforcement policy towards compliance officers; at the very least, it deserves a close look.

Admittedly, financial-services compliance officers are the “canaries in the coal mine” when it comes to personal liability risk. The industry is heavily regulated and replete with affirmative requirements that firms supervise those who handle customer funds, report misconduct or suspicious transactions, and file accurate disclosures. The individuals saddled with these statutory duties can find themselves on the wrong end of an enforcement action if they fail to meet legal standards, whether or not they are compliance officers.

But the SEC’s Director of Enforcement has said that compliance officers do not, by and large, have targets on their backs when it comes to preventing misconduct by others. In a speech last fall, Andrew Ceresney described the danger zones as situations when “compliance personnel have affirmatively participated in the misconduct, when they have helped mislead regulators, or when they have clear responsibility to implement compliance programs or policies and wholly failed to carry out that responsibility.”

This case feels different.

Mason’s employer, SFX Financial Advisory, provides investment advice and financial management services, including a bill-paying service, to current and former professional athletes. According to the SEC, SFX’s President embezzled about $675,000 from three customers’ bill-paying accounts over a five-year period. He was able to do this because he had signature authority over the accounts and no one else at the company was reviewing his work: as the SEC put it, he “was able to circumvent secondary review of the payments he authorized from client accounts.”

When a customer complaint alerted Mason to the embezzlement, he “promptly conducted an internal investigation,” after which SFX terminated the President and reported the crime to law enforcement. So far so good.

What did Mason do wrong? According to the SEC Order settling the case, he committed the following violations:

He “did not effectively implement” an existing compliance policy requiring that there be a review of “cash flows in client accounts.”

He failed to ensure that account cash flow reviews were done by someone other than the President, and thus caused the following statement in SFX’s brochure to be untrue: “Client’s cash account used specifically for bill paying is reviewed several times each week by senior management for accuracy and appropriateness.”

“In the midst of an internal investigation following the discovery of [the President’s] misappropriation, SFX did not conduct an annual review of its compliance program… Mason was responsible for ensuring the annual review was completed and was negligent in failing to conduct the annual review.”

Certainly this does not describe ideal CCO performance; the lack of oversight of the President’s check-writing is a glaring internal-control issue. But let’s unpack these accusations.

Effective Policy Implementation

The settlement is silent about how the President “circumvented” company policies, or how Mason could have prevented it by implementing them more “effectively.” The SEC does not say that the policies explicitly required second-person review; maybe Mason thought review by the President was sufficient or maybe he assumed that regular external audits sufficed. Or Mason may have reviewed a sample of accounts in accordance with normal auditing practices, but not the three accounts that were stolen from. He may have made the mistake of trusting his superior, or may have been intimidated and denied access to the accounts. All we really know is that he didn’t detect the embezzlement.

Most likely Mason should have recognized the control weakness, gone to the board and insisted on a full second-person review of every account. But there is no allegation that he knew of, much less ignored, any actual misconduct or even red flags. All in all, if the worst the SEC can say is that Mason failed to “effectively implement policy,” this sounds a lot like personal liability for failure to prevent someone else’s crime.

False Statement

As to the brochure’s statement that bill-paying accounts were frequently reviewed by senior management, well, the President is senior management and certainly he reviewed the accounts he was managing. Literally, the statement is true: the problem is that the senior manager in this case was untrustworthy. The SEC’s position is that in this context, “review by senior management” obviously means “independent review by senior management other than the person handling the accounts,” and that Mason “willfully” lied by not reading these words into the brochure’s statement. The SEC’s reading of the brochure may be a fair one, but given the literal truth of the brochure’s statement, this seems a tenuous foundation for what is essentially a charge of perjury.

Annual Program Review

The Investment Adviser regulations do require annual compliance program reviews. But the SEC itself notes that Mason was busy investigating the President in 2011. We do not know what staffing or resources were at Mason’s disposal but, if forced to choose, most compliance officers would prioritize an investigation of an embezzling senior officer over a routine compliance program review. The SEC does not claim that the lack of a review contributed to or prolonged the embezzlement. Nor is it clear how Mason’s “negligence” in failing to perform a review translates into a “willful” violation: for lawyers, “negligent” and “willful” are mutually exclusive. So even though this charge may be technically correct, it certainly feels like a reach.

As portrayed in the settlement, Mason’s performance was at best naïve and ineffective. And it’s possible that the SEC may have omitted additional facts that could have made its case seem more compelling. But let’s go back to Director Ceresney’s speech and compare it to what we know about this case.

Did Mason affirmatively participate in misconduct? No.

Did he “help mislead authorities,” i.e. cover anything up? No, he promptly investigated and the results were reported to authorities.

Did he “have clear responsibility to implement compliance programs or policies and wholly fail to carry out that responsibility”? Only if “wholly fail” means “fail to effectively audit one set of accounts that the President was handling.”

Does this case signal an escalation of SEC enforcement policy for compliance officers? We will have to wait and see what cases the agency chooses to prosecute over the coming months. Certainly the SEC has the power to create more precedents like this, and to move the boundaries of compliance officer vulnerability and risk, if it chooses to do so. Think about how this matter was resolved: a censure and a $25,000 fine. Compared to the cost of defending a full-bore SEC enforcement action (not to mention the risk of doing so), accepting a $25,000 fine could be the only rational choice for a compliance officer of modest means. Since every violation is also, by definition, a compliance failure, compliance officers could be abundant targets for settlements designed to “make a statement.”

For now, it seems that the winds may be changing. Poor performance may be replacing bad behavior as the threshold for SEC enforcement actions, and the result may be to hold compliance officers accountable for the misconduct of others. With the SFX case, the SEC has sent a powerful message to compliance officers under its jurisdiction. The question is, is it the right message?

Scott Killingsworth is a compliance attorney with Bryan Cave in Atlanta. He will be presenting “From Paranoia to Pollyanna: Bad News and Good News about Compliance Officer Liability” at the SCCE Compliance & Ethics Institute in October.